<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>39.4. Global Session Management</title>
<link rel="stylesheet" href="dbstyle.css" type="text/css">
<meta name="generator" content="DocBook XSL Stylesheets V1.72.0">
<link rel="start" href="index.html" title="Programmer's Reference Guide">
<link rel="up" href="zend.session.html" title="Chapter 39. Zend_Session">
<link rel="prev" href="zend.session.advanced_usage.html" title="39.3. Advanced Usage">
<link rel="next" href="zend.session.savehandler.dbtable.html" title="39.5. Zend_Session_SaveHandler_DbTable">
<link rel="chapter" href="introduction.html" title="Chapter 1. Introduction to Zend Framework">
<link rel="chapter" href="zend.acl.html" title="Chapter 2. Zend_Acl">
<link rel="chapter" href="zend.auth.html" title="Chapter 3. Zend_Auth">
<link rel="chapter" href="zend.cache.html" title="Chapter 4. Zend_Cache">
<link rel="chapter" href="zend.config.html" title="Chapter 5. Zend_Config">
<link rel="chapter" href="zend.console.getopt.html" title="Chapter 6. Zend_Console_Getopt">
<link rel="chapter" href="zend.controller.html" title="Chapter 7. Zend_Controller">
<link rel="chapter" href="zend.currency.html" title="Chapter 8. Zend_Currency">
<link rel="chapter" href="zend.date.html" title="Chapter 9. Zend_Date">
<link rel="chapter" href="zend.db.html" title="Chapter 10. Zend_Db">
<link rel="chapter" href="zend.debug.html" title="Chapter 11. Zend_Debug">
<link rel="chapter" href="zend.dojo.html" title="Chapter 12. Zend_Dojo">
<link rel="chapter" href="zend.dom.html" title="Chapter 13. Zend_Dom">
<link rel="chapter" href="zend.exception.html" title="Chapter 14. Zend_Exception">
<link rel="chapter" href="zend.feed.html" title="Chapter 15. Zend_Feed">
<link rel="chapter" href="zend.filter.html" title="Chapter 16. Zend_Filter">
<link rel="chapter" href="zend.form.html" title="Chapter 17. Zend_Form">
<link rel="chapter" href="zend.gdata.html" title="Chapter 18. Zend_Gdata">
<link rel="chapter" href="zend.http.html" title="Chapter 19. Zend_Http">
<link rel="chapter" href="zend.infocard.html" title="Chapter 20. Zend_InfoCard">
<link rel="chapter" href="zend.json.html" title="Chapter 21. Zend_Json">
<link rel="chapter" href="zend.layout.html" title="Chapter 22. Zend_Layout">
<link rel="chapter" href="zend.ldap.html" title="Chapter 23. Zend_Ldap">
<link rel="chapter" href="zend.loader.html" title="Chapter 24. Zend_Loader">
<link rel="chapter" href="zend.locale.html" title="Chapter 25. Zend_Locale">
<link rel="chapter" href="zend.log.html" title="Chapter 26. Zend_Log">
<link rel="chapter" href="zend.mail.html" title="Chapter 27. Zend_Mail">
<link rel="chapter" href="zend.measure.html" title="Chapter 28. Zend_Measure">
<link rel="chapter" href="zend.memory.html" title="Chapter 29. Zend_Memory">
<link rel="chapter" href="zend.mime.html" title="Chapter 30. Zend_Mime">
<link rel="chapter" href="zend.openid.html" title="Chapter 31. Zend_OpenId">
<link rel="chapter" href="zend.paginator.html" title="Chapter 32. Zend_Paginator">
<link rel="chapter" href="zend.pdf.html" title="Chapter 33. Zend_Pdf">
<link rel="chapter" href="zend.registry.html" title="Chapter 34. Zend_Registry">
<link rel="chapter" href="zend.rest.html" title="Chapter 35. Zend_Rest">
<link rel="chapter" href="zend.search.lucene.html" title="Chapter 36. Zend_Search_Lucene">
<link rel="chapter" href="zend.server.html" title="Chapter 37. Zend_Server">
<link rel="chapter" href="zend.service.html" title="Chapter 38. Zend_Service">
<link rel="chapter" href="zend.session.html" title="Chapter 39. Zend_Session">
<link rel="chapter" href="zend.soap.html" title="Chapter 40. Zend_Soap">
<link rel="chapter" href="zend.test.html" title="Chapter 41. Zend_Test">
<link rel="chapter" href="zend.text.html" title="Chapter 42. Zend_Text">
<link rel="chapter" href="zend.timesync.html" title="Chapter 43. Zend_TimeSync">
<link rel="chapter" href="zend.translate.html" title="Chapter 44. Zend_Translate">
<link rel="chapter" href="zend.uri.html" title="Chapter 45. Zend_Uri">
<link rel="chapter" href="zend.validate.html" title="Chapter 46. Zend_Validate">
<link rel="chapter" href="zend.version.html" title="Chapter 47. Zend_Version">
<link rel="chapter" href="zend.view.html" title="Chapter 48. Zend_View">
<link rel="chapter" href="zend.xmlrpc.html" title="Chapter 49. Zend_XmlRpc">
<link rel="appendix" href="requirements.html" title="Appendix A. Zend Framework Requirements">
<link rel="appendix" href="coding-standard.html" title="Appendix B. Zend Framework Coding Standard for PHP">
<link rel="appendix" href="copyrights.html" title="Appendix C. Copyright Information">
<link rel="index" href="the.index.html" title="Index">
<link rel="subsection" href="zend.session.global_session_management.html#zend.session.global_session_management.configuration_options" title="39.4.1. Configuration Options">
<link rel="subsection" href="zend.session.global_session_management.html#zend.session.global_session_management.headers_sent" title="39.4.2. Error: Headers Already Sent">
<link rel="subsection" href="zend.session.global_session_management.html#zend.session.global_session_management.session_identifiers" title="39.4.3. Session Identifiers">
<link rel="subsection" href="zend.session.global_session_management.html#zend.session.global_session_management.rememberme" title="39.4.4. rememberMe(integer $seconds)">
<link rel="subsection" href="zend.session.global_session_management.html#zend.session.global_session_management.forgetme" title="39.4.5. forgetMe()">
<link rel="subsection" href="zend.session.global_session_management.html#zend.session.global_session_management.sessionexists" title="39.4.6. sessionExists()">
<link rel="subsection" href="zend.session.global_session_management.html#zend.session.global_session_management.destroy" title="39.4.7. destroy(bool $remove_cookie = true, bool $readonly = true)">
<link rel="subsection" href="zend.session.global_session_management.html#zend.session.global_session_management.stop" title="39.4.8. stop()">
<link rel="subsection" href="zend.session.global_session_management.html#zend.session.global_session_management.writeclose" title="39.4.9. writeClose($readonly = true)">
<link rel="subsection" href="zend.session.global_session_management.html#zend.session.global_session_management.expiresessioncookie" title="39.4.10. expireSessionCookie()">
<link rel="subsection" href="zend.session.global_session_management.html#zend.session.global_session_management.savehandler" title="39.4.11. setSaveHandler(Zend_Session_SaveHandler_Interface $interface)">
<link rel="subsection" href="zend.session.global_session_management.html#zend.session.global_session_management.namespaceisset" title="39.4.12. namespaceIsset($namespace)">
<link rel="subsection" href="zend.session.global_session_management.html#zend.session.global_session_management.namespaceunset" title="39.4.13. namespaceUnset($namespace)">
<link rel="subsection" href="zend.session.global_session_management.html#zend.session.global_session_management.namespaceget" title="39.4.14. namespaceGet($namespace)">
<link rel="subsection" href="zend.session.global_session_management.html#zend.session.global_session_management.getiterator" title="39.4.15. getIterator()">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<div class="navheader"><table width="100%" summary="Navigation header">
<tr><th colspan="3" align="center">39.4. Global Session Management</th></tr>
<tr>
<td width="20%" align="left">
<a accesskey="p" href="zend.session.advanced_usage.html">Prev</a> </td>
<th width="60%" align="center">Chapter 39. Zend_Session</th>
<td width="20%" align="right"> <a accesskey="n" href="zend.session.savehandler.dbtable.html">Next</a>
</td>
</tr>
</table></div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="zend.session.global_session_management"></a>39.4. Global Session Management</h2></div></div></div>
<p>
        The default behavior of sessions can be modified using the static methods of Zend_Session. All management and
        manipulation of global session management occurs using Zend_Session, including configuration of the
        <a href="http://www.php.net/session#session.configuration" target="_top">usual options provided by ext/session</a>,
        using <code class="code">Zend_Session::setOptions()</code>. For example, failure to insure the use of a safe
        <code class="code">save_path</code> or a unique cookie name by ext/session using <code class="code">Zend_Session::setOptions()</code> may
        result in security issues.
    </p>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="zend.session.global_session_management.configuration_options"></a>39.4.1. Configuration Options</h3></div></div></div>
<p>
            When the first session namespace is requested, Zend_Session will automatically start the PHP session, unless
            already started with
            <a href="zend.session.advanced_usage.html#zend.session.advanced_usage.starting_a_session" title="39.3.1. Starting a Session"><code class="code">Zend_Session::start()</code></a>.
            The underlying PHP session will use defaults from Zend_Session, unless modified first by
            <code class="code">Zend_Session::setOptions()</code>.
        </p>
<p>
            To set a session configuration option, include the basename (the part of the name after
            "<code class="code">session.</code>") as a key of an array passed to <code class="code">Zend_Session::setOptions()</code>. The
            corresponding value in the array is used to set the session option value. If no options are set by the
            developer, Zend_Session will utilize recommended default options first, then the default php.ini settings.
            Community feedback about best practices for these options should be sent to
            <a href="mailto:fw-auth@lists.zend.com" target="_top">fw-auth@lists.zend.com</a>.
        </p>
<div class="example">
<a name="zend.session.global_session_management.setoptions.example"></a><p class="title"><b>Example 39.16. Using Zend_Config to Configure Zend_Session</b></p>
<div class="example-contents">
<p>
                To configure this component using
                <a href="zend.config.adapters.ini.html" title="5.3. Zend_Config_Ini"><code class="code">Zend_Config_Ini</code></a>, first add the
                configuration options to the INI file:
            </p>
<pre class="programlisting">; Accept defaults for production
[production]
; bug_compat_42
; bug_compat_warn
; cache_expire
; cache_limiter
; cookie_domain
; cookie_lifetime
; cookie_path
; cookie_secure
; entropy_file
; entropy_length
; gc_divisor
; gc_maxlifetime
; gc_probability
; hash_bits_per_character
; hash_function
; name should be unique for each PHP application sharing the same domain name
name = UNIQUE_NAME
; referer_check
; save_handler
; save_path
; serialize_handler
; use_cookies
; use_only_cookies
; use_trans_sid

; remember_me_seconds = &lt;integer seconds&gt;
; strict = on|off


; Development inherits configuration from production, but overrides several values
[development : production]
; Don't forget to create this directory and make it rwx (readable and modifiable) by PHP.
save_path = /home/myaccount/zend_sessions/myapp
use_only_cookies = on
; When persisting session id cookies, request a TTL of 10 days
remember_me_seconds = 864000
            </pre>
<p>
                Next, load the configuration file and pass its array representation to
                <code class="code">Zend_Session::setOptions()</code>:
            </p>
<pre class="programlisting">&lt;?php
require_once 'Zend/Config/Ini.php';
$config = new Zend_Config_Ini('myapp.ini', 'development');

require_once 'Zend/Session.php';
Zend_Session::setOptions($config-&gt;toArray());
            </pre>
</div>
</div>
<br class="example-break"><p>
            Most options shown above need no explanation beyond that found in the standard PHP documentation, but those
            of particular interest are noted below.
            </p>
<div class="itemizedlist"><ul type="opencircle">
<li style="list-style-type: circle"><p>
                        boolean <code class="code">strict</code> - disables automatic starting of <code class="code">Zend_Session</code> when
                        using <code class="code">new Zend_Session_Namespace()</code>.
                    </p></li>
<li style="list-style-type: circle"><p>
                        integer <code class="code">remember_me_seconds</code> - how long should session id cookie persist, after user
                        agent has ended (e.g., browser application terminated).
                    </p></li>
<li style="list-style-type: circle">
<p>
                        string <code class="code">save_path</code> - The correct value is system dependent, and should be provided by
                        the developer using an <span class="strong"><strong>absolute path</strong></span> to a directory readable
                        and writable by the PHP process.  If a writable path is not supplied, then
                        <code class="code">Zend_Session</code> will throw an exception when started (i.e., when <code class="code">start()</code>
                        is called).
                    </p>
<div class="note"><table border="0" summary="Note: Security Risk">
<tr>
<td rowspan="2" align="center" valign="top" width="25"><img alt="[Note]" src="images/note.png"></td>
<th align="left">Security Risk</th>
</tr>
<tr><td align="left" valign="top">
<p>
                            If the path is readable by other applications, then session hijacking might be possible. If
                            the path is writable by other applications, then
                            <a href="http://en.wikipedia.org/wiki/Session_poisoning" target="_top">session poisoning</a>
                            might be possible. If this path is shared with other users or other PHP applications,
                            various security issues might occur, including theft of session content, hijacking of
                            sessions, and collision of garbage collection (e.g., another user's application might cause
                            PHP to delete your application's session files).
                        </p>
<p>
                            For example, an attacker can visit the victim's website to obtain a session cookie. Then, he
                            edits the cookie path to his own domain on the same server, before visiting his own website
                            to execute <code class="code">var_dump($_SESSION)</code>. Armed with detailed knowledge of the victim's
                            use of data in their sessions, the attacker can then modify the session state (poisoning the
                            session), alter the cookie path back to the victim's website, and then make requests from
                            the victim's website using the poisoned session. Even if two applications on the same server
                            do not have read/write access to the other application's <code class="code">save_path</code>, if the
                            <code class="code">save_path</code> is guessable, and the attacker has control over one of these two
                            websites, the attacker could alter their website's <code class="code">save_path</code> to use the other's
                            save_path, and thus accomplish session poisoning, under some common configurations of PHP.
                            Thus, the value for <code class="code">save_path</code> should not be made public knowledge and should be
                            altered to a secure location unique to each application.
                        </p>
</td></tr>
</table></div>
</li>
<li style="list-style-type: circle">
<p>
                        string <code class="code">name</code> - The correct value is system dependent and should be provided by the
                        developer using a value <span class="strong"><strong>unique</strong></span> to the application.
                    </p>
<div class="note"><table border="0" summary="Note: Security Risk">
<tr>
<td rowspan="2" align="center" valign="top" width="25"><img alt="[Note]" src="images/note.png"></td>
<th align="left">Security Risk</th>
</tr>
<tr><td align="left" valign="top"><p>
                            If the <code class="code">php.ini</code> setting for <code class="code">session.name</code> is the same (e.g., the
                            default "PHPSESSID"), and there are two or more PHP applications accessible through the same
                            domain name then they will share the same session data for visitors to both websites.
                            Additionally, possible corruption of session data may result.
                        </p></td></tr>
</table></div>
</li>
<li style="list-style-type: circle">
<p>
                        boolean <code class="code">use_only_cookies</code> - In order to avoid introducing additional security risks,
                        do not alter the default value of this option.
                        </p>
<div class="note"><table border="0" summary="Note: Security Risk">
<tr>
<td rowspan="2" align="center" valign="top" width="25"><img alt="[Note]" src="images/note.png"></td>
<th align="left">Security Risk</th>
</tr>
<tr><td align="left" valign="top"><p>
                                If this setting is not enabled, an attacker can easily fix victim's session ids, using
                                links on the attacker's website, such as
                                <code class="code">http://www.example.com/index.php?PHPSESSID=fixed_session_id</code>. The fixation
                                works, if the victim does not already have a session id cookie for example.com. Once a
                                victim is using a known session id, the attacker can then attempt to hijack the session
                                by pretending to be the victim, and emulating the victim's user agent.
                            </p></td></tr>
</table></div>
<p>
                    </p>
</li>
</ul></div>
<p>
        </p>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="zend.session.global_session_management.headers_sent"></a>39.4.2. Error: Headers Already Sent</h3></div></div></div>
<p>
            If you see the error message, "Cannot modify header information - headers already sent", or, "You must call
            ... before any output has been sent to the browser; output started in ...", then carefully examine the
            immediate cause (function or method) associated with the message. Any actions that require sending HTTP
            headers, such as sending a cookie, must be done before sending normal output (unbuffered output), except
            when using PHP's output buffering.
        </p>
<div class="itemizedlist"><ul type="opencircle">
<li style="list-style-type: circle"><p>
                    Using <a href="http://php.net/outcontrol" target="_top">output buffering</a> often is sufficient to prevent
                    this issue, and may help improve performance. For example, in <code class="code">php.ini</code>,
                    "<code class="code">output_buffering = 65535</code>" enables output buffering with a 64K buffer. Even though
                    output buffering might be a good tactic on production servers to increase performance, relying only
                    on buffering to resolve the "headers already sent" problem is not sufficient. The application must
                    not exceed the buffer size, or the problem will occur whenever the output sent (prior to the HTTP
                    headers) exceeds the buffer size.
                </p></li>
<li style="list-style-type: circle"><p>
                    Alternatively, try rearranging the application logic so that actions manipulating headers are
                    performed prior to sending any output whatsoever.
                </p></li>
<li style="list-style-type: circle"><p>
                    If a Zend_Session method is involved in causing the error message, examine the method carefully, and
                    make sure its use really is needed in the application. For example, the default usage of
                    <code class="code">destroy()</code> also sends an HTTP header to expire the client-side session cookie. If this
                    is not needed, then use <code class="code">destroy(false)</code>, since the instructions to set cookies are sent
                    with HTTP headers.
                </p></li>
<li style="list-style-type: circle"><p>
                    Alternatively, try rearranging the application logic so that all actions manipulating headers are
                    performed prior to sending any output whatsoever.
                </p></li>
<li style="list-style-type: circle"><p>
                    Remove any closing "<code class="code">?&gt;</code>" tags, if they occur at the end of a PHP source file. They
                    are not needed, and newlines and other nearly invisible whitespace following the closing tag can
                    trigger output to the client.
                </p></li>
</ul></div>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="zend.session.global_session_management.session_identifiers"></a>39.4.3. Session Identifiers</h3></div></div></div>
<p>
            Introduction: Best practice in relation to using sessions with ZF calls for using a browser cookie (i.e.
            a normal cookie stored in your web browser), instead of embedding a unique session identifier in URLs as
            a means to track individual users. By default this component uses only cookies to maintain session
            identifiers. The cookie's value is the unique identifier of your browser's session. PHP's ext/session
            uses this identifier to maintain a unique one-to-one relationship between website visitors, and
            persistent session data storage unique to each visitor. Zend_Session* wraps this storage mechanism
            (<code class="code">$_SESSION</code>) with an object-oriented interface. Unfortunately, if an attacker gains access
            to the value of the cookie (the session id), an attacker might be able to hijack a visitor's session.
            This problem is not unique to PHP, or the Zend Framework. The <code class="code">regenerateId()</code> method allows
            an application to change the session id (stored in the visitor's cookie) to a new, random, unpredictable
            value. Note: Although not the same, to make this section easier to read, we use the terms "user agent"
            and "web browser" interchangeably.
        </p>
<p>
            Why?: If an attacker obtains a valid session identifier, an attacker might be able to impersonate a
            valid user (the victim), and then obtain access to confidential information or otherwise manipulate the
            victim's data managed by your application. Changing session ids helps protect against session hijacking.
            If the session id is changed, and an attacker does not know the new value, the attacker can not use the
            new session id in their attempts to hijack the visitor's session. Even if an attacker gains access to an
            old session id, <code class="code">regenerateId()</code> also moves the session data from the old session id "handle"
            to the new one, so no data remains accessible via the old session id.
        </p>
<p>
            When to use regenerateId(): Adding <code class="code">Zend_Session::regenerateId()</code> to your Zend Framework
            bootstrap yields one of the safest and most secure ways to regenerate session id's in user agent
            cookies. If there is no conditional logic to determine when to regenerate the session id, then there are
            no flaws in that logic. Although regenerating on every request prevents several possible avenues of
            attack, not everyone wants the associated small performance and bandwidth cost. Thus, applications
            commonly try to dynamically determine situations of greater risk, and only regenerate the session ids in
            those situations. Whenever a website visitor's session's privileges are "escalated" (e.g. a visitor
            re-authenticates their identity before editing their personal "profile"), or whenever a security
            "sensitive" session parameter change occurs, consider using <code class="code">regenerateId()</code> to create a new
            session id. If you call the <code class="code">rememberMe()</code> function, then don't use
            <code class="code">regenerateId()</code>, since the former calls the latter. If a user has successfully logged into
            your website, use <code class="code">rememberMe()</code> instead of <code class="code">regenerateId()</code>.
        </p>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="zend.session.global_session_management.session_identifiers.hijacking_and_fixation"></a>39.4.3.1. Session Hijacking and Fixation</h4></div></div></div>
<p>
                Avoiding <a href="http://en.wikipedia.org/wiki/Cross_site_scripting" target="_top">cross-site script (XSS)
                vulnerabilities</a> helps preventing session hijacking. According to
                <a href="http://secunia.com/" target="_top">Secunia's</a> statistics XSS problems occur frequently, regardless
                of the languages used to create web applications. Rather than expecting to never have a XSS problem with
                an application, plan for it by following best practices to help minimize damage, if it occurs. With XSS,
                an attacker does not need direct access to a victim's network traffic. If the victim already has a
                session cookie, Javascript XSS might allow an attacker to read the cookie and steal the session. For
                victims with no session cookies, using XSS to inject Javascript, an attacker could create a session id
                cookie on the victim's browser with a known value, then set an identical cookie on the attacker's
                system, in order to hijack the victim's session. If the victim visited an attacker's website, then the
                attacker can also emulate most other identifiable characteristics of the victim's user agent. If your
                website has an XSS vulnerability, the attacker might be able to insert an AJAX Javascript that secretly
                "visits" the attacker's website, so that the attacker knows the victim's browser characteristics and
                becomes aware of a compromised session at the victim website. However, the attacker can not arbitrarily
                alter the server-side state of PHP sessions, provided the developer has correctly set the value for the
                <code class="code">save_path</code> option.
            </p>
<p>
                By itself, calling <code class="code">Zend_Session::regenerateId()</code> when the user's session is first used, does
                not prevent session fixation attacks, unless you can distinguish between a session originated by an
                attacker emulating the victim. At first, this might sound contradictory to the previous statement above,
                until we consider an attacker who first initiates a real session on your website. The session is "first
                used" by the attacker, who then knows the result of the initialization (<code class="code">regenerateId()</code>).
                The attacker then uses the new session id in combination with an XSS vulnerability, or injects the
                session id via a link on the attacker's website (works if <code class="code">use_only_cookies = off</code>).
            </p>
<p>
                If you can distinguish between an attacker and victim using the same session id, then session hijacking
                can be dealt with directly. However, such distinctions usually involve some form of usability tradeoffs,
                because the methods of distinction are often imprecise. For example, if a request is received from an IP
                in a different country than the IP of the request when the session was created, then the new request
                probably belongs to an attacker. Under the following conditions, there might not be any way for a
                website application to distinguish between a victim and an attacker:
                </p>
<div class="itemizedlist"><ul type="opencircle">
<li style="list-style-type: circle"><p>
                            - attacker first initiates a session on your website to obtain a valid session id
                        </p></li>
<li style="list-style-type: circle"><p>
                            - attacker uses XSS vulnerability on your website to create a cookie on the victim's browser
                            with the same, valid session id (i.e. session fixation)
                        </p></li>
<li style="list-style-type: circle"><p>
                            - both the victim and attacker originate from the same proxy farm (e.g. both are behind the
                            same firewall at a large company, like AOL)
                        </p></li>
</ul></div>
<p>
                The sample code below makes it much harder for an attacker to know the current victim's session id,
                unless the attacker has already performed the first two steps above.
            </p>
<div class="example">
<a name="zend.session.global_session_management.session_identifiers.hijacking_and_fixation.example"></a><p class="title"><b>Example 39.17. Session Fixation</b></p>
<div class="example-contents"><pre class="programlisting">&lt;?php
require_once 'Zend/Session/Namespace.php';
$defaultNamespace = new Zend_Session_Namespace();

if (!isset($defaultNamespace-&gt;initialized)) {
    Zend_Session::regenerateId();
    $defaultNamespace-&gt;initialized = true;
}
                </pre></div>
</div>
<br class="example-break">
</div>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="zend.session.global_session_management.rememberme"></a>39.4.4. <code class="code">rememberMe(integer $seconds)</code>
</h3></div></div></div>
<p>
            Ordinarily, sessions end when the user agent terminates, such as when an end user exits a web browser
            program. However, your application may provide the ability to extend user sessions beyond the lifetime of
            the client program through the use of persistent cookies. Use <code class="code">Zend_Session::rememberMe()</code> before
            a session is started to control the length of time before a persisted session cookie expires. If you do not
            specify a number of seconds, then the session cookie lifetime defaults to <code class="code">remember_me_seconds</code>,
            which may be set using <code class="code">Zend_Session::setOptions()</code>. To help thwart session fixation/hijacking,
            use this function when a user successfully authenticates with your application (e.g., from a "login" form).
        </p>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="zend.session.global_session_management.forgetme"></a>39.4.5. <code class="code">forgetMe()</code>
</h3></div></div></div>
<p>
            This function complements <code class="code">rememberMe()</code> by writing a session cookie that has a lifetime ending
            when the user agent terminates.
        </p>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="zend.session.global_session_management.sessionexists"></a>39.4.6. <code class="code">sessionExists()</code>
</h3></div></div></div>
<p>
            Use this method to determine if a session already exists for the current user agent/request. It may be used
            before starting a session, and independently of all other <code class="code">Zend_Session</code> and
            <code class="code">Zend_Session_Namespace</code> methods.
        </p>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="zend.session.global_session_management.destroy"></a>39.4.7. <code class="code">destroy(bool $remove_cookie = true, bool $readonly = true)</code>
</h3></div></div></div>
<p>
            <code class="code">Zend_Session::destroy()</code> destroys all of the persistent data associated with the current
            session. However, no variables in PHP are affected, so your namespaced sessions (instances of
            <code class="code">Zend_Session_Namespace</code>) remain readable. To complete a "logout", set the optional parameter to
            <code class="code">true</code> (the default) to also delete the user agent's session id cookie. The optional
            <code class="code">$readonly</code> parameter removes the ability to create new <code class="code">Zend_Session_Namespace</code>
            instances and for <code class="code">Zend_Session</code> methods to write to the session data store.
        </p>
<p>
            If you see the error message, "Cannot modify header information - headers already sent", then either avoid
            using <code class="code">true</code> as the value for the first argument (requesting removal of the session cookie), or
            see <a href="zend.session.global_session_management.html#zend.session.global_session_management.headers_sent" title="39.4.2. Error: Headers Already Sent">Section 39.4.2, “Error: Headers Already Sent”</a>. Thus,
            <code class="code">Zend_Session::destroy(true)</code> must either be called before PHP has sent HTTP headers, or output
            buffering must be enabled. Also, the total output sent must not exceed the set buffer size, in order to
            prevent triggering sending the output before the call to <code class="code">destroy()</code>.
        </p>
<div class="note"><table border="0" summary="Note: Throws">
<tr>
<td rowspan="2" align="center" valign="top" width="25"><img alt="[Note]" src="images/note.png"></td>
<th align="left">Throws</th>
</tr>
<tr><td align="left" valign="top"><p>
                By default, <code class="code">$readonly</code> is enabled and further actions involving writing to the session data
                store will throw an exception.
            </p></td></tr>
</table></div>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="zend.session.global_session_management.stop"></a>39.4.8. <code class="code">stop()</code>
</h3></div></div></div>
<p>
            This method does absolutely nothing more than toggle a flag in Zend_Session to prevent further writing to
            the session data store. We are specifically requesting feedback on this feature. Potential uses/abuses might
            include temporarily disabling the use of <code class="code">Zend_Session_Namespace</code> instances or
            <code class="code">Zend_Session</code> methods to write to the session data store, while execution is transfered to view-
            related code. Attempts to perform actions involving writes via these instances or methods will throw an
            exception.
        </p>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="zend.session.global_session_management.writeclose"></a>39.4.9. <code class="code">writeClose($readonly = true)</code>
</h3></div></div></div>
<p>
            Shutdown the session, close writing and detach <code class="code">$_SESSION</code> from the back-end storage mechanism.
            This will complete the internal data transformation on this request. The optional <code class="code">$readonly</code>
            boolean parameter can remove write access by throwing an exception upon any attempt to write to the session
            via <code class="code">Zend_Session</code> or <code class="code">Zend_Session_Namespace</code>.
        </p>
<div class="note"><table border="0" summary="Note: Throws">
<tr>
<td rowspan="2" align="center" valign="top" width="25"><img alt="[Note]" src="images/note.png"></td>
<th align="left">Throws</th>
</tr>
<tr><td align="left" valign="top"><p>
                By default, <code class="code">$readonly</code> is enabled and further actions involving writing to the session data
                store will throw an exception. However, some legacy application might expect <code class="code">$_SESSION</code> to
                remain writable after ending the session via <code class="code">session_write_close()</code>. Although not considered
                "best practice", the <code class="code">$readonly</code> option is available for those who need it.
            </p></td></tr>
</table></div>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="zend.session.global_session_management.expiresessioncookie"></a>39.4.10. <code class="code">expireSessionCookie()</code>
</h3></div></div></div>
<p>
            This method sends an expired session id cookie, causing the client to delete the session cookie. Sometimes
            this technique is used to perform a client-side logout.
        </p>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="zend.session.global_session_management.savehandler"></a>39.4.11. <code class="code">setSaveHandler(Zend_Session_SaveHandler_Interface $interface)</code>
</h3></div></div></div>
<p>
            Most developers will find the default save handler sufficient. This method provides an object-oriented
            wrapper for
            <a href="http://php.net/session_set_save_handler" target="_top"><code class="code">session_set_save_handler()</code></a>.
        </p>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="zend.session.global_session_management.namespaceisset"></a>39.4.12. <code class="code">namespaceIsset($namespace)</code>
</h3></div></div></div>
<p>
            Use this method to determine if a session namespace exists, or if a particular index exists in a particular
            namespace.
        </p>
<div class="note"><table border="0" summary="Note: Throws">
<tr>
<td rowspan="2" align="center" valign="top" width="25"><img alt="[Note]" src="images/note.png"></td>
<th align="left">Throws</th>
</tr>
<tr><td align="left" valign="top"><p>
                An exception will be thrown if <code class="code">Zend_Session</code> is not marked as readable (e.g., before <code class="code">
                Zend_Session</code> has been started).
            </p></td></tr>
</table></div>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="zend.session.global_session_management.namespaceunset"></a>39.4.13. <code class="code">namespaceUnset($namespace)</code>
</h3></div></div></div>
<p>
            Use <code class="code">Zend_Session::namespaceUnset($namespace)</code> to efficiently remove an entire namespace and its
            contents. As with all arrays in PHP, if a variable containing an array is unset, and the array contains
            other objects, those objects will remain available, if they were also stored by reference in other
            array/objects that remain accessible via other variables. So <code class="code">namespaceUnset()</code> does not perform
            a "deep" unsetting/deleting of the contents of the entries in the namespace. For a more detailed
            explanation, please see <a href="http://php.net/references" target="_top">References Explained</a> in the PHP
            manual.
        </p>
<div class="note"><table border="0" summary="Note: Throws">
<tr>
<td rowspan="2" align="center" valign="top" width="25"><img alt="[Note]" src="images/note.png"></td>
<th align="left">Throws</th>
</tr>
<tr><td align="left" valign="top"><p>
                An exception will be thrown if the namespace is not writable (e.g., after <code class="code">destroy()</code>).
            </p></td></tr>
</table></div>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="zend.session.global_session_management.namespaceget"></a>39.4.14. <code class="code">namespaceGet($namespace)</code>
</h3></div></div></div>
<p>
            DEPRECATED: Use <code class="code">getIterator()</code> in <code class="code">Zend_Session_Namespace</code>. This method returns an
            array of the contents of <code class="code">$namespace</code>. If you have logical reasons to keep this method publicly
            accessible, please provide feedback to the
            <a href="mailto:fw-auth@lists.zend.com" target="_top">fw-auth@lists.zend.com</a> mail list. Actually, all
            participation on any relevant topic is welcome :)
        </p>
<div class="note"><table border="0" summary="Note: Throws">
<tr>
<td rowspan="2" align="center" valign="top" width="25"><img alt="[Note]" src="images/note.png"></td>
<th align="left">Throws</th>
</tr>
<tr><td align="left" valign="top"><p>
                An exception will be thrown if <code class="code">Zend_Session</code> is not marked as readable (e.g., before
                <code class="code">Zend_Session</code> has been started).
            </p></td></tr>
</table></div>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="zend.session.global_session_management.getiterator"></a>39.4.15. <code class="code">getIterator()</code>
</h3></div></div></div>
<p>
            Use <code class="code">getIterator()</code> to obtain an array containing the names of all namespaces.
        </p>
<div class="note"><table border="0" summary="Note: Throws">
<tr>
<td rowspan="2" align="center" valign="top" width="25"><img alt="[Note]" src="images/note.png"></td>
<th align="left">Throws</th>
</tr>
<tr><td align="left" valign="top"><p>
                An exception will be thrown if <code class="code">Zend_Session</code> is not marked as readable (e.g., before
                <code class="code">Zend_Session</code> has been started).
            </p></td></tr>
</table></div>
</div>
</div>
<div class="navfooter"><table width="100%" summary="Navigation footer">
<tr>
<td width="40%" align="left">
<a accesskey="p" href="zend.session.advanced_usage.html">Prev</a> </td>
<td width="20%" align="center"><a accesskey="u" href="zend.session.html">Up</a></td>
<td width="40%" align="right"> <a accesskey="n" href="zend.session.savehandler.dbtable.html">Next</a>
</td>
</tr>
<tr>
<td width="40%" align="left" valign="top">39.3. Advanced Usage </td>
<td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td>
<td width="40%" align="right" valign="top"> 39.5. Zend_Session_SaveHandler_DbTable</td>
</tr>
</table></div>
<div class="revinfo"></div>
</body>
</html>
